On the interface facing the internal network I used OSPF between the firewall interfaces and the internal network.

On the other side a static route is configured towards the internet routers.

For the link between the ISG and the internet routers, private IPs are assigned. I have been provided with a public internet range, as this firewall shall be used as an internet firewall doing NAT operations + IPsec.

I have a Trust VR for the internal network and an Untrust VR for the internet-facing networks.

I have created a loopback, associated it with the Untrust zone and terminated the public IP range on it, and I have tried to traceroute from the ISG console using this interface, with no hope.

I have also tried to make a NAT policy from Trust to Untrust with a DIP from the range assigned to the loopback, and tried to ping from the firewall, also with no hope.

My questions are:

1- Is using the loopback a sufficient way or not?

2- Making a successful traceroute or ping to the internet from the firewall itself

3- Making sure that the traffic coming from the internal network will be NATted to the public range

Re: ISG internet firewall deployment

I believe DIP pools must be defined on the outgoing interface of a particular session in order for them to work properly.

As for the loopback, try to assign just a /32 to it and try pinging from it. I'm not quite certain why it's not working.

As for IPsec, choose a public /32 and assign it to a loopback (or a VSI made from a loopback if you have an NSRP cluster), and use that as the outgoing interface when you configure your VPN Gateway. That should work quite all right.

Finally, the Untrust zone, by default, blocks intra-zone traffic, so you'll have to define yourself a policy to allow PING out.

2- Making a successful traceroute or ping to the internet from the firewall itself - Yes. Use trace x.x.x.x from loop.z or ping x.x.x.x from loop.z

3- Making sure that the traffic coming from the internal network will be NATted to the public range - Yes. Enable src-NAT to the egress interface IP in Trust-to-Untrust policies. The loopback interface is the egress one.

4- Terminating the IPsec on the IP used for the loopback - Yes. Configure an Untrust-to-Untrust policy for Any-to-Any that allows IKE. This is required if IPsec is terminated on a loopback interface and intrazone traffic blocking is enabled (default for the Untrust zone). Sure, the policy may be more restrictive in relation to the allowed IPs.

Re: ISG internet firewall deployment

Many thanks Edouard for your extensive solution and for answering all my questions.

I need clarification on some points below:

-- Putting the ethx interface in a group with the loopback will not affect the routing on these interfaces? I mean, if there are routing entries already associated with ethx, they will not be affected?

3- Making sure that the traffic coming from the internal network will be NATted to the public range - Yes. Enable src-NAT to the egress interface IP in Trust-to-Untrust policies. The loopback interface is the egress one.

-- In the NAT configuration I should configure the Untrust interface which is in the same group as the loopback, is that right?

4- Terminating the IPsec on the IP used for the loopback - Yes. Configure an Untrust-to-Untrust policy for Any-to-Any that allows IKE. This is required if IPsec is terminated on a loopback interface and intrazone traffic blocking is enabled (default for the Untrust zone). Sure, the policy may be more restrictive in relation to the allowed IPs.

-- Opening an any-to-any IKE policy may cause a security risk; is there any other way to limit this access? I mean, to be able to terminate the IPsec on the loopback and have a good restriction at the same time.

The last question is, how should I apply the loopback interface IP configuration? Should I use the whole public IP subnet (/29) or should I use only a /32?

Re: ISG internet firewall deployment

-- Putting the ethx interface in a group with the loopback will not affect the routing on these interfaces - All interfaces added to a loopback group retain their associated routes. Also, a loopback interface cannot be used as the routing interface in the routes.

-- In the NAT configuration I should configure the Untrust interface which is in the same group as the loopback, is that right - There is no such option in the policy src-NAT. If you activate the src-NAT you can select either a DIP or the egress interface IP. The loopback interface is the egress one in this case. If you add another eth interface to the same loopback group, which has a route to the Internet, the packets will also be src-NATted to the loopback interface IP.

Sure, you can also use DIPs configured on the loopback interface.

-- Opening an any-to-any IKE policy may cause a security risk - It is not, indeed. Theoretically, if the ISP routers are manipulated, your FW may be misused for IKE flooding of foreign hosts. But, as I wrote, the policy may be more restrictive in relation to the allowed IPs. Create an Untrust address object with the IP of the loopback interface and configure two Untrust-to-Untrust policies:

Loopback IP Object - Any, service IKE

Any - Loopback IP Object, service IKE

Any can also be replaced with the known IPs if you have a site-to-site IPSec to the GWs with the static IPs.

Generally you need similar policies for any traffic terminated on (or originating from) the loopback interface (e.g. ping, telnet etc.).

The last question is, how should I apply the loopback interface IP configuration? - This plays no significant role. The /29 network is already routed by the ISP towards the private eth interface IP. You can configure the loopback interface as /32 and use the rest of the addresses for DIPs, MIPs and VIPs. In this case they are in a "foreign" network and you can run across certain limitations. You'd better use /29 and configure the NAT objects in their "home" network.
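Putting the pieces of the two replies above together as a ScreenOS configuration. This is an added example, not the poster's or the replier's own config: the public /29 (203.0.113.0/29) and the VPN peer (198.51.100.10) are RFC 5737 documentation addresses, the private link address, the interface names (ethernet1/1, loopback.1), the DIP id and the object names are assumed, lines starting with `#` are annotations rather than CLI, and the exact keyword syntax should be checked against the ScreenOS release running on the ISG.

```screenos
# Loopback in the Untrust zone carrying the whole /29, as the reply recommends,
# so DIPs/MIPs/VIPs stay in their "home" network
set interface loopback.1 zone untrust
set interface loopback.1 ip 203.0.113.1/29

# The physical Untrust interface (private ISP link address, assumed) joins the
# loopback group; it keeps its own routes, the loopback only supplies the
# source IP for egress traffic
set interface ethernet1/1 zone untrust
set interface ethernet1/1 ip 10.255.0.2/30
set interface ethernet1/1 loopback-group loopback.1

# Routing: the loopback cannot be the next-hop interface, so the default route
# in untrust-vr goes out the physical interface; trust-vr forwards into untrust-vr
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/1 gateway 10.255.0.1
set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr

# Option A: interface-based src-NAT; the egress interface is the loopback,
# so internal traffic leaves as 203.0.113.1
set policy from trust to untrust any any any nat src permit

# Option B: DIP pool on the loopback using the remaining /29 addresses
set interface loopback.1 dip 5 203.0.113.2 203.0.113.6
set policy from trust to untrust any any any nat src dip-id 5 permit

# The Untrust zone blocks intra-zone traffic by default, so traffic terminated
# on or sourced from the loopback needs explicit Untrust-to-Untrust policies.
# Restrict them to the loopback address object instead of any-to-any:
set address untrust "lb-ip" 203.0.113.1/32
set policy from untrust to untrust "lb-ip" any ike permit
set policy from untrust to untrust any "lb-ip" ike permit
# replace "any" with the peer's address object for a static site-to-site peer
set policy from untrust to untrust "lb-ip" any ping permit

# IKE gateway terminating on the loopback (peer IP and pre-shared key assumed)
set ike gateway "site-b" address 198.51.100.10 outgoing-interface loopback.1 preshare "CHANGE-ME" sec-level standard

# Reachability checks from the firewall, sourced from the loopback
ping 198.51.100.10 from loopback.1
trace-route 198.51.100.10 from loopback.1
```

Options A and B are alternatives; use one or the other in the Trust-to-Untrust policy. Without the two "lb-ip" policies the IKE exchange and the ping/trace-route sourced from the loopback are dropped by the default intra-zone block, which matches the symptom of the earlier posts.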

Re: ISG internet firewall deployment

The ISP has confirmed to me that the real range of the loopback is already routed. I have tried to traceroute from the loopback interface and this gives me an error. How can I verify where the traffic actually stopped, or what the main cause is?

Re: ISG internet firewall deployment

I have done what you mentioned about creating a NAT policy from Trust to Untrust with interface NAT; the packets go nowhere and the traceroute doesn't show any hop! I have made sure that there is a default route configured on the Trust VR to point the traffic to the internet router.

The ping test to the ISP routers from the Untrust interface is done without any problem.

By the way, there is a router between the ISG and the ISP routers and it is doing basic traffic routing.